If this is an Impact Level 2 IaaS/PaaS implementation, this requirement is not applicable. Review the architecture for the IaaS. Verify that for dedicated infrastructure mission Impact Levels 4–5, the IaaS implements a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection. For IaaS Levels 4–5, if the IaaS does not implement a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection, this is a finding.
FedRAMP Moderate, High. For dedicated infrastructure with an ICAP/BCAP connection (Levels 4–5 and on-premises Impact Level 2), ensure the IaaS/PaaS implements a security stack that restricts traffic flow inbound and outbound between the IaaS/PaaS and the BCAP or ICAP connection.
If this is a Software as a Service (SaaS), this is not a finding. If Impact Level 2, but the cloud service provider (CSP) has control over the environment, this is not a finding. Verify that virtual internet-facing applications are configured to traverse the CAP and VDSS prior to communicating with the internet. If virtual internet-facing applications permit direct access to the CSP or the internet, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure virtual internet-facing applications to traverse the CAP and VDSS prior to communicating with the internet.
If this is a Software as a Service (SaaS), this is not applicable. This applies to all Impact Levels. Review the configuration of the IaaS/PaaS. Verify that the IP address of an ACAS server is configured. Verify the flaw remediation data is also being communicated to the cybersecurity service provider (CSSP). If the PaaS/IaaS does not implement scanning using an ACAS server or CSP-provided solution that meets DOD scanning and reporting requirements, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IP address of an ACAS server or another solution that meets DOD scanning and reporting requirements.
This applies to all Impact Levels. If this is a Software as a Service (SaaS) implementation, this is not a finding. Verify the IaaS/PaaS is configured to maintain logical separation of all management and data traffic. If the IaaS/PaaS does not maintain separation of all management and data traffic, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to maintain separation of all management and data traffic.
If this is a Software as a Service (SaaS), this is not applicable. Review the Service Level Agreement and architecture documentation. Verify the virtual IDPS is in place by inspecting the architecture diagrams. Verify it is placed to monitor and protect the IaaS, PaaS, and interconnected host VMs. Verify a secure (encrypted) connection exists between the virtual IDPS capabilities and the CSSP responsible for the mission system/application. If the Mission Owner has not configured the IaaS or PaaS IDPS to monitor and protect the IaaS and interconnected VMs, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure a virtual IDPS to monitor and protect the DOD VMs, services, and applications.
If this is a Software as a Service (SaaS), this is not applicable. Inspect the firewall and/or intrusion detection and prevention system (IDPS) access control lists (ACLs) and filters on the firewall inbound interfaces. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices. If the IaaS/PaaS does not continuously monitor inbound communications from external systems, other IaaS, or collocated mission applications within the same cloud service environment for unusual or unauthorized activities or conditions, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the firewall and/or IDPS for continuous monitoring of all communications inbound to the virtual IaaS or PaaS. Configure the ACLs and security rules to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or unusually high traffic from particular segments or devices.
If this is a Software as a Service (SaaS), this is not applicable. Inspect the firewall and/or intrusion detection and prevention system (IDPS) access control lists (ACLs) and filtering rules that filter traffic on any outbound interface from the IaaS and systems. Verify these rules are configured for continuous monitoring. Verify the ACLs and security rules detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices. If the IaaS/PaaS does not continuously monitor outbound communications to other enclaves and systems for unusual or unauthorized activities or conditions, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the firewall and/or IDPS for continuous monitoring of all communications outbound from the virtual IaaS or PaaS. Configure any ACLs and filtering rules on outbound interfaces to detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.
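The inbound and outbound monitoring checks above both list the same conditions (large transfers, persistent connections, unusual ports, unauthorized peers, high-volume segments). The following added example, not part of the STIG, shows how an auditor could run those conditions over a constructed flow log to confirm the monitoring rules actually fire; the thresholds, allowlists and addresses are assumed values for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, proto, bytes, duration_s)
# in a Zeek-conn-like tab layout; hypothetical addresses, not from the STIG.
FLOW_LOG = """\
10.10.1.5\t52.0.0.10\t443\ttcp\t180000\t12
10.10.1.6\t52.0.0.10\t443\ttcp\t95000000\t40
10.10.1.7\t52.0.0.11\t22\ttcp\t4000\t90000
10.10.1.8\t52.0.0.12\t6667\ttcp\t2000\t30
10.10.1.9\t203.0.113.9\t443\ttcp\t3000\t5
10.10.2.1\t52.0.0.10\t443\ttcp\t60000000\t50
10.10.2.2\t52.0.0.10\t443\ttcp\t60000000\t50
"""

# Policy thresholds and allowlists: assumed values, tune to the enclave.
MAX_BYTES = 50_000_000              # flag single transfers above ~50 MB
MAX_DURATION = 3600                 # flag connections held open > 1 hour
ALLOWED_PORTS = {"tcp": {22, 443}, "udp": {53}}
AUTHORIZED_PEERS = [ipaddress.ip_network("52.0.0.0/24")]
SEGMENT_BYTES_LIMIT = 100_000_000   # aggregate per /24 source segment

def parse_flows(text):
    rows = []
    for line in text.splitlines():
        src, dst, port, proto, nbytes, dur = line.split("\t")
        rows.append(dict(src=src, dst=dst, port=int(port), proto=proto,
                         bytes=int(nbytes), duration=int(dur)))
    return rows

def audit_flows(flows):
    """Return (condition, subject, detail) tuples for each STIG-listed condition."""
    findings = []
    per_segment = defaultdict(int)
    for f in flows:
        peer = ipaddress.ip_address(f["dst"])
        if f["bytes"] > MAX_BYTES:
            findings.append(("large_transfer", f["src"], f["dst"]))
        if f["duration"] > MAX_DURATION:
            findings.append(("persistent_connection", f["src"], f["dst"]))
        if f["port"] not in ALLOWED_PORTS.get(f["proto"], set()):
            findings.append(("unusual_port", f["src"], f["dst"]))
        if not any(peer in net for net in AUTHORIZED_PEERS):
            findings.append(("unauthorized_peer", f["src"], f["dst"]))
        seg = ipaddress.ip_network(f["src"] + "/24", strict=False)
        per_segment[str(seg)] += f["bytes"]
    for seg, total in per_segment.items():   # segment-level volume check
        if total > SEGMENT_BYTES_LIMIT:
            findings.append(("high_volume_segment", seg, total))
    return findings
```

The same function serves the outbound check by swapping the peer allowlist to the set of enclaves the IaaS/PaaS is permitted to reach.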
This applies to all Impact Levels. If this is a Software as a Service (SaaS) implementation, this is not a finding. Verify that a FIPS 140-2/3 compliant communication protocol is configured for communication between the implemented systems/applications and the DOD OCSP responders. If the cloud IaaS/PaaS does not implement a secure (encrypted) connection or path between the implemented systems/applications and the DOD OCSP responders, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to implement an encrypted path that is FIPS 140-2/3 compliant between the implemented systems/applications and the DOD OCSP responders.
This applies to all Impact Levels. If this is a Software as a Service (SaaS) implementation, this is not a finding. Verify that a valid DOD OCSP responder is configured for the implemented systems/applications. If the cloud IaaS/PaaS does not use an approved DOD OCSP responder, this is a finding.
This applies to all Impact Levels. FedRAMP Moderate, High. Configure the IaaS/PaaS to use an approved DOD OCSP responder.